From: luca.boccassi@gmail.com
To: Huisong Li
Cc: Min Hu, Ferruh Yigit, dpdk stable
Subject: patch 'kni: fix freeing order in device release' has been queued to stable release 20.11.5
Date: Mon, 28 Feb 2022 21:20:47 +0000
Message-Id: <20220228212047.3341966-51-luca.boccassi@gmail.com>
In-Reply-To: <20220228212047.3341966-1-luca.boccassi@gmail.com>
References: <20220218123931.1749595-122-luca.boccassi@gmail.com> <20220228212047.3341966-1-luca.boccassi@gmail.com>
List-Id: patches for DPDK stable branches

Hi,

FYI, your patch has been queued to stable release 20.11.5

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/02/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/8d6bbbc514d0e804595702dd61a4ff626c0a7400

Thanks.

Luca Boccassi

---
From 8d6bbbc514d0e804595702dd61a4ff626c0a7400 Mon Sep 17 00:00:00 2001
From: Huisong Li
Date: Wed, 9 Feb 2022 15:35:25 +0800
Subject: [PATCH] kni: fix freeing order in device release

[ upstream commit d57f2899e29a74fffeb876863e1f570084d6437b ]

The "kni_dev" is the private data of the "net_device" in kni, and
allocated with the "net_device" by calling "alloc_netdev()". The
"net_device" is freed by calling "free_netdev()" when kni is released.
The freed memory includes the "kni_dev". So "kni_dev" should not be
accessed after "net_device" is released.

Fixes: e77fec694936 ("kni: fix possible mbuf leaks and speed up port release")

KASAN trace:
[ 85.263717] ==========================================================
[ 85.264418] BUG: KASAN: use-after-free in kni_net_release_fifo_phy+0x30/0x84 [rte_kni]
[ 85.265139] Read of size 8 at addr ffff000260668d60 by task kni/341
[ 85.265703]
[ 85.265857] CPU: 0 PID: 341 Comm: kni Tainted: G U O 5.15.0-rc4+ #1
[ 85.266525] Hardware name: linux,dummy-virt (DT)
[ 85.266968] Call trace:
[ 85.267220]  dump_backtrace+0x0/0x2d0
[ 85.267591]  show_stack+0x24/0x30
[ 85.267924]  dump_stack_lvl+0x8c/0xb8
[ 85.268294]  print_address_description.constprop.0+0x74/0x2b8
[ 85.268855]  kasan_report+0x1e4/0x200
[ 85.269224]  __asan_load8+0x98/0xd4
[ 85.269577]  kni_net_release_fifo_phy+0x30/0x84 [rte_kni]
[ 85.270116]  kni_dev_remove.isra.0+0x50/0x64 [rte_kni]
[ 85.270630]  kni_ioctl_release+0x254/0x320 [rte_kni]
[ 85.271136]  kni_ioctl+0x64/0xb0 [rte_kni]
[ 85.271553]  __arm64_sys_ioctl+0xdc/0x120
[ 85.271955]  invoke_syscall+0x68/0x1a0
[ 85.272332]  el0_svc_common.constprop.0+0x90/0x200
[ 85.272807]  do_el0_svc+0x94/0xa4
[ 85.273144]  el0_svc+0x78/0x240
[ 85.273463]  el0t_64_sync_handler+0x1a8/0x1b0
[ 85.273895]  el0t_64_sync+0x1a0/0x1a4
[ 85.274264]
[ 85.274427] Allocated by task 341:
[ 85.274767]  kasan_save_stack+0x2c/0x60
[ 85.275157]  __kasan_kmalloc+0x90/0xb4
[ 85.275533]  __kmalloc_node+0x230/0x594
[ 85.275917]  kvmalloc_node+0x8c/0x190
[ 85.276286]  alloc_netdev_mqs+0x70/0x6b0
[ 85.276678]  kni_ioctl_create+0x224/0xf40 [rte_kni]
[ 85.277166]  kni_ioctl+0x9c/0xb0 [rte_kni]
[ 85.277581]  __arm64_sys_ioctl+0xdc/0x120
[ 85.277980]  invoke_syscall+0x68/0x1a0
[ 85.278357]  el0_svc_common.constprop.0+0x90/0x200
[ 85.278830]  do_el0_svc+0x94/0xa4
[ 85.279172]  el0_svc+0x78/0x240
[ 85.279491]  el0t_64_sync_handler+0x1a8/0x1b0
[ 85.279925]  el0t_64_sync+0x1a0/0x1a4
[ 85.280292]
[ 85.280454] Freed by task 341:
[ 85.280763]  kasan_save_stack+0x2c/0x60
[ 85.281147]  kasan_set_track+0x2c/0x40
[ 85.281522]  kasan_set_free_info+0x2c/0x50
[ 85.281930]  __kasan_slab_free+0xdc/0x140
[ 85.282331]  slab_free_freelist_hook+0x90/0x250
[ 85.282782]  kfree+0x128/0x580
[ 85.283099]  kvfree+0x48/0x60
[ 85.283402]  netdev_freemem+0x34/0x44
[ 85.283770]  netdev_release+0x50/0x64
[ 85.284138]  device_release+0xa0/0x120
[ 85.284516]  kobject_put+0xf8/0x160
[ 85.284867]  put_device+0x20/0x30
[ 85.285204]  free_netdev+0x22c/0x310
[ 85.285562]  kni_dev_remove.isra.0+0x48/0x64 [rte_kni]
[ 85.286076]  kni_ioctl_release+0x254/0x320 [rte_kni]
[ 85.286573]  kni_ioctl+0x64/0xb0 [rte_kni]
[ 85.286992]  __arm64_sys_ioctl+0xdc/0x120
[ 85.287392]  invoke_syscall+0x68/0x1a0
[ 85.287769]  el0_svc_common.constprop.0+0x90/0x200
[ 85.288243]  do_el0_svc+0x94/0xa4
[ 85.288579]  el0_svc+0x78/0x240
[ 85.288899]  el0t_64_sync_handler+0x1a8/0x1b0
[ 85.289332]  el0t_64_sync+0x1a0/0x1a4
[ 85.289699]
[ 85.289862] The buggy address belongs to the object at ffff000260668000
[ 85.289862]  which belongs to the cache kmalloc-cg-8k of size 8192
[ 85.291079] The buggy address is located 3424 bytes inside of
[ 85.291079]  8192-byte region [ffff000260668000, ffff00026066a000)
[ 85.292213] The buggy address belongs to the page:
[ 85.292684] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a0668
[ 85.293585] head:(____ptrval____) order:3 compound_mapcount:0 compound_pincount:0
[ 85.294305] flags: 0xbfff80000010200(slab|head|node=0|zone=2|lastcpupid=0x7fff)
[ 85.295020] raw: 0bfff80000010200 0000000000000000 dead000000000122 ffff0000c000d680
[ 85.295767] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
[ 85.296512] page dumped because: kasan: bad access detected
[ 85.297054]
[ 85.297217] Memory state around the buggy address:
[ 85.297688]  ffff000260668c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.298384]  ffff000260668c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.299088] >ffff000260668d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.299781]                                                        ^
[ 85.300396]  ffff000260668d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.301092]  ffff000260668e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.301787] ===========================================================

Signed-off-by: Huisong Li
Signed-off-by: Min Hu (Connor)
Acked-by: Ferruh Yigit
---
 kernel/linux/kni/kni_misc.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/linux/kni/kni_misc.c b/kernel/linux/kni/kni_misc.c index cc5172fefc..d1f6f54aac 100644 --- a/kernel/linux/kni/kni_misc.c +++ b/kernel/linux/kni/kni_misc.c @@ -184,13 +184,17 @@ kni_dev_remove(struct kni_dev *dev) if (!dev) return -ENODEV; + /* + * The memory of kni device is allocated and released together + * with net device. Release mbuf before freeing net device. + */ + kni_net_release_fifo_phy(dev); + if (dev->net_dev) { unregister_netdev(dev->net_dev); free_netdev(dev->net_dev); } - kni_net_release_fifo_phy(dev); - return 0; } @@ -220,8 +224,8 @@ kni_release(struct inode *inode, struct file *file) dev->pthread = NULL; } - kni_dev_remove(dev); list_del(&dev->list); + kni_dev_remove(dev); } up_write(&knet->kni_list_lock); 
@@ -470,8 +474,8 @@ kni_ioctl_release(struct net *net, uint32_t ioctl_num, dev->pthread = NULL; } - kni_dev_remove(dev); list_del(&dev->list); + kni_dev_remove(dev); ret = 0; break; } -- 2.30.2 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2022-02-28 21:17:58.034425089 +0000 +++ 0051-kni-fix-freeing-order-in-device-release.patch 2022-02-28 21:17:54.068934228 +0000 @@ -1 +1 @@ -From d57f2899e29a74fffeb876863e1f570084d6437b Mon Sep 17 00:00:00 2001 +From 8d6bbbc514d0e804595702dd61a4ff626c0a7400 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit d57f2899e29a74fffeb876863e1f570084d6437b ] + @@ -13 +14,0 @@ -Cc: stable@dpdk.org @@ -124 +125 @@ -index ec70190042..780187d8bf 100644 +index cc5172fefc..d1f6f54aac 100644 @@ -127 +128 @@ -@@ -182,13 +182,17 @@ kni_dev_remove(struct kni_dev *dev) +@@ -184,13 +184,17 @@ kni_dev_remove(struct kni_dev *dev) @@ -147 +148 @@ -@@ -218,8 +222,8 @@ kni_release(struct inode *inode, struct file *file) +@@ -220,8 +224,8 @@ kni_release(struct inode *inode, struct file *file) @@ -157 +158 @@ -@@ -468,8 +472,8 @@ kni_ioctl_release(struct net *net, uint32_t ioctl_num, +@@ -470,8 +474,8 @@ kni_ioctl_release(struct net *net, uint32_t ioctl_num,
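Review bot: in the `kni_dev_remove()` hunk (`@@ -184,13 +184,17 @@`) the reorder is right, but the new comment understates what it protects: `kni_net_release_fifo_phy(dev)` dereferences `dev` itself, which is carved out of the `net_device` allocation, so after `free_netdev(dev->net_dev)` the `kni_dev` is gone, not just the mbufs. Suggest wording the comment as `/* kni_dev lives inside the net_device allocation; release the fifos before free_netdev() frees both. */` and stating the invariant that nothing in this function may touch `dev` after the `if (dev->net_dev)` block, so a future `return` path is not added below it. Minor: "Release mbuf" should read "Release mbufs".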
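Review bot: the `kni_release()` hunk (`@@ -220,8 +224,8 @@`) fixes a second use-after-free that the commit message does not mention: with the old order, `list_del(&dev->list)` wrote into `dev->list` after `kni_dev_remove(dev)` had already freed `dev` through `free_netdev()`. The KASAN report only shows the read in `kni_net_release_fifo_phy()`, so a sentence in the commit message explaining why `list_del()` now comes first would help anyone backporting this. The unlink still happens under the write side of `knet->kni_list_lock` (the `up_write()` follows), so the reorder does not widen any window between unlink and teardown.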
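Review bot: the `kni_ioctl_release()` hunk (`@@ -470,8 +474,8 @@`) applies the same `list_del()` before `kni_dev_remove()` reorder as `kni_release()`, and it is correct for the same reason. Since the pthread teardown, unlink and remove sequence is now duplicated verbatim in both call sites, consider folding it into one static helper so the next ordering fix only has to land once; the `ret = 0; break;` is specific to the ioctl path and can stay here.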
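Review bot: the rebase diff against the upstream commit is metadata only: the commit id, the added `[ upstream commit ... ]` line, the dropped `Cc: stable@dpdk.org`, the blob `index` line and the three hunk headers shifted by two lines (`-182` to `-184`, `-218` to `-220`, `-468` to `-470`). No `+`/`-` code lines differ, so no code changes were needed for the 20.11 backport and the "please double-check if non-empty" request is satisfied by this inspection.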
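The commit message describes a lifetime rule rather than a single bad line: the private data is carved out of the `net_device` allocation, so freeing the `net_device` frees the private data with it. The following is an added example, not DPDK or kernel code, that models that rule in plain C so the two removal orders from the patch can be compared on a host. Every `_model` name, `owner_of()`, `run_removal()` and the `freed` flag are assumptions made for this example; the flag stands in for KASAN's poisoned state so a wrong ordering is reported as an error code instead of being undefined behaviour.

```c
/* Added example (not DPDK code): models kni_dev living inside the
 * net_device allocation, as alloc_netdev() does, and checks the two
 * removal orders from the patch. All names here are constructed. */
#include <stddef.h>
#include <stdlib.h>

struct net_device_model;

/* Stand-in for kni_dev: lives inside the net_device allocation. */
struct kni_dev_model {
    struct net_device_model *net_dev;
    void *rx_fifo;                 /* stand-in for the fifo/mbuf resources */
};

/* Stand-in for net_device with its embedded private area. */
struct net_device_model {
    int freed;                     /* 1 once free_netdev_model() has run */
    struct kni_dev_model priv;     /* the netdev_priv() area */
};

/* alloc_netdev(): one allocation covers net_device and its private data. */
static struct net_device_model *alloc_netdev_model(void)
{
    struct net_device_model *nd = calloc(1, sizeof(*nd));
    if (!nd)
        return NULL;
    nd->priv.net_dev = nd;
    nd->priv.rx_fifo = malloc(64);  /* constructed resource owned by kni_dev */
    return nd;
}

/* free_netdev(): the real call releases the whole block, priv included.
 * The model only marks the block dead so a later access can be detected. */
static void free_netdev_model(struct net_device_model *nd)
{
    nd->freed = 1;
}

/* container_of() equivalent: the net_device that embeds this kni_dev. */
static struct net_device_model *owner_of(struct kni_dev_model *dev)
{
    return (struct net_device_model *)
        ((char *)dev - offsetof(struct net_device_model, priv));
}

/* kni_net_release_fifo_phy(): reads and writes fields of dev. Returns -1
 * when that access lands in freed memory, which is what KASAN flagged. */
static int release_fifo_model(struct kni_dev_model *dev)
{
    if (owner_of(dev)->freed)
        return -1;                  /* use-after-free */
    free(dev->rx_fifo);
    dev->rx_fifo = NULL;
    return 0;
}

/* Order before the patch: net_device freed first, kni_dev used afterwards. */
static int dev_remove_old_order(struct kni_dev_model *dev)
{
    if (dev->net_dev)
        free_netdev_model(dev->net_dev);
    return release_fifo_model(dev);
}

/* Order after the patch: release what kni_dev owns, then free the
 * net_device (and with it kni_dev), and never touch dev again. */
static int dev_remove_new_order(struct kni_dev_model *dev)
{
    int ret = release_fifo_model(dev);
    if (dev->net_dev)
        free_netdev_model(dev->net_dev);
    return ret;
}

/* Runs one removal order on a fresh device and returns its result.
 * The backing allocation is released here, once the model is done. */
static int run_removal(int (*remove)(struct kni_dev_model *))
{
    struct net_device_model *nd = alloc_netdev_model();
    int ret;
    if (!nd)
        return -2;
    ret = remove(&nd->priv);
    free(nd->priv.rx_fifo);        /* NULL when the fifo was released in time */
    free(nd);
    return ret;
}

int main(void)
{
    /* Old order trips the use-after-free check; new order completes cleanly. */
    return (run_removal(dev_remove_old_order) == -1 &&
            run_removal(dev_remove_new_order) == 0) ? 0 : 1;
}
```

The check generalises beyond KNI: whenever private data is obtained from a container's allocation (`netdev_priv()`, `container_of()` on an embedded struct), every access to it must precede the call that frees the container, and the callers must finish their own bookkeeping on the embedded struct (here `list_del()`) before that call as well.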